CVE-2022-4063

Critical · Exploited in the wild · Nuclei template available

InPost Gallery < 2.1.4.1 - Code Injection


Exploitation Summary

CVE-2022-4063 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks one public exploit, by im-hanzou. A Nuclei detection template is also available.

AI-analyzed exploit summary: The im-hanzou/INPGer repository contains a working proof-of-concept exploit for CVE-2022-4063, an unauthenticated Local File Inclusion (LFI) vulnerability in InPost Gallery < 2.1.4.1 that is escalated to Remote Code Execution (RCE). The exploit turns the file inclusion into RCE with PHP filter chains built from base64 encoding and decoding filters, so no file needs to be written to the target first.

Description

The InPost Gallery WordPress plugin before 2.1.4.1 calls PHP's extract() on attacker-controlled data when rendering HTML views. Because extract() turns every key of its input into a local variable, a request parameter can overwrite the variable that names the view file, allowing unauthenticated attackers to force the inclusion of arbitrary local files or URLs, which may let them run code on the server.

Exploits (1)

nomisec · Working PoC · 2 stars
by im-hanzou · remote
https://github.com/im-hanzou/INPGer


Classification
Working PoC (95% confidence)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: InPost Gallery < 2.1.4.1
Authentication: none required
Prerequisites: Target running the vulnerable InPost Gallery plugin · Access to the target's admin-ajax.php endpoint
Analyzed by devstral-2 on Feb 16, 2026
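The summary above says the exploit reaches admin-ajax.php unauthenticated and escalates the file inclusion with PHP filter chains. As an added example (not code from this page, the INPGer repository or the plugin), the following Python scans web-server access-log lines for that combination: a request to admin-ajax.php whose query string, once URL-decoded, carries a php://filter wrapper, rated higher when the chain also uses convert.iconv or convert.base64 filters. The log lines, IP addresses and the tpl parameter name are constructed for illustration and are assumptions, not observed attacker traffic; the check deliberately does not depend on the parameter name, since the page does not identify it.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines in combined log format (not from any
# real incident). Line 3 carries a php://filter chain with iconv transcoding
# and base64 decoding; line 4 hides a plain php://filter read behind
# %-encoding. The "tpl" parameter name is an assumption for illustration.
SAMPLE_LOG = '''
203.0.113.10 - - [19/Dec/2022:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Dec/2022:10:01:05 +0000] "GET /?p=1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Dec/2022:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=x&tpl=php://filter/convert.iconv.UTF8.UTF16LE|convert.base64-decode/resource=php://temp HTTP/1.1" 500 0 "-" "python-requests/2.28"
198.51.100.7 - - [19/Dec/2022:10:02:13 +0000] "GET /wp-admin/admin-ajax.php?action=x&tpl=php%3A%2F%2Ffilter%2Fresource%3D..%2F..%2Fwp-config.php HTTP/1.1" 200 3000 "-" "curl/8.0"
'''

# Combined log format: client ip, identd, user, [timestamp], "METHOD target PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The stream wrapper itself, and the filter names that make up a filter
# chain (iconv transcoding chained with base64 encode/decode).
FILTER_WRAPPER = re.compile(r'php://filter', re.I)
CHAIN_FILTERS = re.compile(r'convert\.(base64-(?:en|de)code|iconv\.)', re.I)


def decode_query(target):
    """Return the query string of a request target with URL encoding
    removed. Decoding twice catches double-encoded payloads."""
    query = urlsplit(target).query
    for _ in range(2):
        query = unquote(query)
    return query


def classify(line):
    """Return a finding dict for a suspicious admin-ajax.php request,
    or None for lines that do not match the pattern."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group('target')
    if not urlsplit(target).path.endswith('/admin-ajax.php'):
        return None
    query = decode_query(target)
    if not FILTER_WRAPPER.search(query):
        return None
    # A bare php://filter read is already an LFI attempt; a chain of
    # convert.* filters is the RCE technique the exploit summary describes.
    severity = 'high' if CHAIN_FILTERS.search(query) else 'medium'
    return {
        'ip': m.group('ip'),
        'ts': m.group('ts'),
        'status': m.group('status'),
        'severity': severity,
        'query': query,
    }


def scan(log_text):
    """Run classify() over every line of a log and collect the findings."""
    findings = []
    for line in log_text.strip().splitlines():
        finding = classify(line)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:14} {f['ts']} status={f['status']} {f['query']}")
```

Because the match is on the decoded query string and the admin-ajax.php path rather than on a specific parameter, the same check stays useful for other PHP-based LFI-to-RCE attempts that rely on php://filter chains; a 500 response, as on the constructed line 3, is common while an attacker is still tuning the chain and is worth keeping rather than filtering out.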

Nuclei Templates (1)

WordPress InPost Gallery < 2.1.4.1 - Local File Inclusion
Critical · Verified · by theamanrawat

References (1)

Core references (1)
https://wpscan.com/vulnerability/6bb07ec1-f1aa-4f4b-9717-c92f651a90a7 (exploit, third-party advisory, VDB entry, technical description)

Scores

CVSS v3.1 base score: 9.8 (Critical)
EPSS: 0.0952 (9.52% probability of exploitation in the next 30 days)
EPSS percentile: 94.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV: added 2023-11-13
CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, path traversal)
Status published
Products (1)
pluginus/inpost_gallery < 2.1.4.1
Published Dec 19, 2022
Tracked Since Feb 18, 2026